Tech Off Thread

Windows Scripting Security

  • sysrpl

    When taking advantage of Microsoft's scripting engine COM objects such as hosting VBScript from within an application, is there a preferred way to deny the usage of CreateObject?

    I seem to recall something about this years ago where Microsoft enhanced the design of their scripting engines to handle this security issue, but I can't find the method/flag/documentation that describes it, having searched both MSDN and Google.

    If anyone could point me at the correct reference with regard to this security issue, I'd very much appreciate the help.

    Thanks.

  • RichardRudek

    As no one else seems to be chiming in, I'll stick my neck out... :)

    In the recent past, I've casually looked into hosting the scripting engine, and a quick perusal over the MSDN docs is awakening some ideas that I had, then. But with your specific requirements, let's see if we can drum something up.

    Now, specifically being able to prevent the usage of the CreateObject function. Hmm, it sounds hard.

    Initially, it sounds like it would be great if the scripting engine exposed some callback interfaces that allowed the host to participate in the parsing of the script. But the problem with that is that the host would now have to be aware of the particular scripting engine, and thus the scripting language. I know of three: VBScript, JScript and Perl... ACK!

    OK, so rather than participating in the parsing, how about being able to configure each engine, having some kind of white or black list of allowable functions or statements? Same, ugly problem.

    In short, whilst you might be able to achieve a way of pre-validating a script (via the debugger interfaces), or having the host participate in the parsing of script, it quickly becomes butt ugly, and probably fragile.

    That leaves us with using the underlying security system. That is, reducing the host's permissions, so that creating (COM) objects causes Windows to throw exceptions. And that is what I'd probably look into.

    PS: there is a .NET variation of the Script Host, that (on the surface) seems like a better alternative. Obviously, requiring .NET on the client platform, though.

  • Pace

    Sorry, my answer is not very helpful, but seeing as you are discussing it you might find this link useful: http://www.microsoft.com/technet/scriptcenter/default.mspx

    (if you don't already have it)
